Every enterprise running microservices on Kubernetes needs an API gateway. The choice affects performance, security, developer experience, and vendor lock-in for years.
I have deployed all four major options in production. Here is an honest comparison.
Feature Comparison
| Feature | Kong | Envoy Gateway | APISIX | Traefik |
|---|---|---|---|---|
| Gateway API support | GA | GA (native) | GA | Beta |
| Protocol support | HTTP, gRPC, WebSocket, TCP | HTTP, gRPC, WebSocket, TCP, UDP | HTTP, gRPC, WebSocket, TCP, UDP | HTTP, gRPC, WebSocket, TCP |
| Rate limiting | Built-in + Redis | External (Envoy ratelimit) | Built-in + Redis | Built-in |
| Authentication | JWT, OAuth2, OIDC, mTLS | JWT, OIDC, ext_authz | JWT, OAuth2, OIDC, mTLS | JWT, OAuth2, forward auth |
| WAF | Plugin (paid) | External integration | Plugin | Not built-in |
| Developer portal | Yes (Enterprise) | No | No | No |
| Plugin ecosystem | 100+ plugins | Envoy filters (C++/Wasm) | 80+ plugins (Lua) | Middleware (Go) |
| Admin API | REST API + GUI | Kubernetes-native only | REST API + GUI | REST API + GUI |
| License | Apache 2.0 (OSS) / Proprietary (Enterprise) | Apache 2.0 | Apache 2.0 | MIT |
| Performance (p99 latency) | ~2-5ms overhead | under 1ms overhead | ~1-3ms overhead | ~2-4ms overhead |
| Control plane | DB-mode or DB-less | Kubernetes CRDs | etcd | Kubernetes CRDs |
When to Choose Each
Kong
Best for: API management with developer portal, plugin marketplace, enterprise support.
Kong is the most feature-complete option. The open-source version handles routing, authentication, and rate limiting. Enterprise adds GUI, developer portal, RBAC, and Vitals analytics.
Watch out for: Performance at high throughput. Kong's Lua-based plugin execution adds latency compared to Envoy's compiled filters.
Envoy Gateway
Best for: Pure Kubernetes-native, highest performance, Gateway API-first.
Envoy Gateway is the reference implementation for the Kubernetes Gateway API. If you are building a new platform and want the standards-based approach, this is it. Sub-millisecond overhead.
Watch out for: Less plug-and-play than Kong. Custom logic requires Envoy filters (C++ or Wasm), which have a steeper learning curve than Lua or Go plugins.
Apache APISIX
Best for: High performance with rich plugin ecosystem, no vendor lock-in.
APISIX is fully open-source (Apache 2.0) with no enterprise tier. Plugin ecosystem is mature (Lua-based). Performance is excellent.
Watch out for: Smaller community than Kong or Envoy. etcd dependency adds operational complexity.
Traefik
Best for: Simplicity, Kubernetes auto-discovery, Let's Encrypt integration.
Traefik is the easiest to set up. It auto-discovers Kubernetes services and configures routing without manual configuration. Built-in Let's Encrypt for automatic TLS.
Watch out for: Less suitable for complex API management. No built-in WAF. Middleware is simpler than Kong/APISIX plugins.
Production Deployment Pattern
Regardless of which gateway you choose:
```
Internet → Cloud LB → API Gateway (2+ replicas, anti-affinity)
                          │
                ┌─────────┼─────────┐
                │         │         │
           Rate Limit   Auth    WAF/Logging
                │         │         │
                └─────────┼─────────┘
                          │
                 Kubernetes Services
```
Requirements:
- Minimum 2 replicas with pod anti-affinity
- Resource limits set (gateway pods should not be evicted)
- Priority class higher than application workloads
- Health checks on the gateway pods
- Separate monitoring for gateway latency and error rates
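The first four requirements expressed as manifests, as an added example that is not part of the original post: the PriorityClass name, Deployment name, labels, image, port and health-check path are placeholders to be replaced with the values of whichever gateway you pick, and monitoring is left to your metrics stack.

```yaml
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: gateway-critical          # placeholder name
value: 1000000                    # above app workloads (default priority is 0)
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-gateway               # placeholder name
spec:
  replicas: 2                     # minimum 2 replicas
  selector:
    matchLabels:
      app: api-gateway
  template:
    metadata:
      labels:
        app: api-gateway
    spec:
      priorityClassName: gateway-critical   # scheduled first, preempted last
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: api-gateway
              topologyKey: kubernetes.io/hostname   # never two replicas on one node
      containers:
        - name: gateway
          image: REPLACE_WITH_GATEWAY_IMAGE   # placeholder, not a real image
          ports:
            - containerPort: 8080             # placeholder port
          resources:
            requests:
              cpu: "500m"
              memory: "512Mi"
            limits:                           # requests == limits gives Guaranteed QoS,
              cpu: "500m"                     # so these pods are evicted last under pressure
              memory: "512Mi"
          readinessProbe:                     # stop routing to a pod that is not ready
            httpGet:
              path: /healthz                  # placeholder: use your gateway's health endpoint
              port: 8080
            periodSeconds: 5
          livenessProbe:                      # restart a pod that stops answering
            httpGet:
              path: /healthz
              port: 8080
            periodSeconds: 10
```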
About the Author
I am Luca Berton, AI and Cloud Advisor. I design API architectures for enterprise Kubernetes platforms. Book a consultation.
